Story time

After having read about the goddam awful handling of a student that hacked a university system, I’d felt that a little story could help tip these people off on how to handle students without necessarily breaking them and destroying their future.

Story Time

Kid sits in his dorm room, bored out of his skull trying to find any excuse to not cram for tomorrow’s exam. Starts fiddling with the student registration system (or whatever), finds a glaring hole, pulls up a mate’s records for kicks and prints them out. Writes a little email note to the IT admin, going something like:

“Hey, your SRS sucks. I can tell you that anyone can see anyone else’s data without even breaking a sweat. I can prove it if you like. Please fix.”

Reply from IT admin: “Kid, whatever you’re doing, stop it right now and get your ass down here to my office. Together, we’ll see if you’re right and if you are, we’ll do something about it. How’s that? We could have lunch afterwards, but on one condition: don’t touch it again in the meanwhile. Are we agreed?”

Kid: “Hey, Mr Simpson, sure thing! I’ll be there, no fail! And I promise not to touch a thing until then. What’s for lunch, btw?”

Next day.

Mr Simpson: “Ok, Kid, show me what you’ve got. Ummm…. ok, yes, that’s bad. Let’s see what we can do. I’ll try to find a fix for this, and I’ll get back to you when I’m done so we could go over this again together. Give me a week, and if you don’t hear from me, remind me, ok?”

Kid: “Yes, sir! I’d be glad to help.”

Mr Simpson: “One more thing, kid. You already saw some information you’re not supposed to see. You have to promise me to destroy it and forget it. On your mother’s head. Will you?”

Kid: “What info? I’ve already forgotten.”

Mr Simpson: “That’s my boy. The second thing is that you actually went too far and I’m going to turn a blind eye to that. The next time you suspect something’s amiss, you come to me first, and we’ll hack the system together. I can do that without having the SWAT team circle the building, but you can’t. You were lucky this time, but who knows about next time, right?”

A couple of days pass. Mr Simpson asks for Kid to come down to the IT office again.

Mr Simpson: “Can we go through what I did to the system and see if you see anything wrong with it? But you have to promise (or sign an NDA or whatever) that you’ll keep whatever you see to yourself. Ok?”

They go through what has been fixed and what has not. Then Mr Simpson delivers an exit sermon:

“Kid, this time you were lucky. You did actually trespass into the systems. Yes, I know you meant well, but this is really dangerous. Not so much to the system, it’s crap anyway, but to your future. Places like this university is full of mean, lazy, bozos that would much rather call the cops on you than listen to what you have to say. So, this is my advice to you in the future, in and out of university: if you see some potential security problem with a system, stop exploring it as soon as you have a decent suspicion, long before you have proof. Contact whoever is in charge of the system and if they’re cooperative, do as we just did. If they’re not, view them as a direct threat to your career, don’t touch another thing, don’t make yourself a suspect in the breaks of that system that will inevitably occur. Just step away quietly and save yourself for another battle. Enjoy the show from a distance when that system goes under.”

Kid: “But I didn’t know how to handle it, I was sure you people wouldn’t want to listen. Couldn’t you put up a policy about this somewere?”

Mr Simpson: “You’re a bright lad, Kid, I’ll get right on it.”

And so he did, he formulated a policy that popped up whenever a student accessed the system, and it went something like this:

“If you have concerns regarding the security of this system, please contact Mr Simpson at IT support. Please don’t hack us. Please don’t make us call in the cops. Let us work out these things together, for our sake, for your sake, and for the good name of the university.”

And they lived happily ever after.

PS: Mr Kid went on to become a CIS and had a similar policy introduced in his multinational. He then went on to win the Nobel Peace Prize in 2016. He also became famous for having introduced a new, highly secure, layered and tokenbased database access method that changed database security programming forever.